Merge branch 'main' into svn-ssh-non-onteractive

spoorcc · web-flow · commit 16d4f3a088ce · 2026-05-27T00:00:24.000+02:00
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,7 @@
 Release 0.14.0 (unreleased)
 ===========================
 
+* Warn when a project URL uses a plaintext transport scheme (#1229)
 * Documentation and threat-model clarifications for existing release attestation support (#1208)
 * Report SVN externals fetched during update (#1220)
 * Use ``.cdx.json`` as the default extension for CycloneDX SBOM reports (#1118)
diff --git a/dfetch/manifest/project.py b/dfetch/manifest/project.py
@@ -321,13 +321,38 @@
 import copy
 from collections.abc import Sequence
 from dataclasses import dataclass, field
+from urllib.parse import urlsplit, urlunsplit
 
 from typing_extensions import Required, TypedDict
 
+from dfetch.log import get_logger
 from dfetch.manifest.remote import Remote
 from dfetch.manifest.version import Version
 from dfetch.util.util import always_str_list, str_if_possible
 
+logger = get_logger(__name__)
+
+_PLAINTEXT_SCHEMES = frozenset({"http", "git", "svn"})
+
+
+def plaintext_warning(url: str) -> str:
+    """Return a warning string if *url* uses a plaintext transport, else empty string."""
+    parsed = urlsplit(url)
+    scheme = parsed.scheme.lower()
+    if scheme not in _PLAINTEXT_SCHEMES:
+        return ""
+    host = parsed.hostname or ""
+    try:
+        port = parsed.port
+    except ValueError:
+        port = None
+    netloc = f"{host}:{port}" if isinstance(port, int) else host
+    redacted_url = urlunsplit((scheme, netloc, parsed.path, "", ""))
+    return (
+        f"Project URL '{redacted_url}' uses plaintext transport ({scheme}://). "
+        "Use https:// or SSH (e.g. svn+ssh://) to prevent interception."
+    )
+
 
 @dataclass
 class Integrity:
diff --git a/dfetch/project/subproject.py b/dfetch/project/subproject.py
@@ -6,7 +6,7 @@
 from collections.abc import Callable, Sequence
 
 from dfetch.log import get_logger
-from dfetch.manifest.project import ProjectEntry
+from dfetch.manifest.project import ProjectEntry, plaintext_warning
 from dfetch.manifest.version import Version
 from dfetch.project.abstract_check_reporter import AbstractCheckReporter
 from dfetch.project.metadata import Dependency, InvalidMetadataError, Metadata
@@ -129,6 +129,8 @@ def update(
             f"Fetching {to_fetch}",
             enabled=self._show_animations,
         ):
+            if warning := plaintext_warning(self.__project.remote_url):
+                logger.print_warning_line(self.__project.name, warning)
             actually_fetched, dependency = self._fetch_impl(to_fetch)
         self._log_project(f"Fetched {actually_fetched}")
 
@@ -213,6 +215,8 @@ def check_for_update(
         with logger.status(
             self.__project.name, "Checking", enabled=self._show_animations
         ):
+            if warning := plaintext_warning(self.__project.remote_url):
+                logger.print_warning_line(self.__project.name, warning)
             latest_version = self._check_for_newer_version()
 
         if not latest_version:
diff --git a/doc/explanation/security.rst b/doc/explanation/security.rst
@@ -96,6 +96,12 @@ to reproduce a deterministic dependency state.
   allow exfiltration risks if upstream sources are compromised or intentionally
   malicious.
 
+.. note::
+
+   dfetch warns during dependency update/check operations when a project URL uses a plaintext
+   transport scheme (``http://``, ``git://``, or ``svn://``). Use ``https://``
+   or SSH (e.g. ``svn+ssh://``) to protect dependency fetches against interception.
+
 Threat Models
 -------------
 
diff --git a/features/check-svn-repo.feature b/features/check-svn-repo.feature
@@ -11,7 +11,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
 
               projects:
                 - name: cunit-svn-rev-only
@@ -44,7 +44,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cutter-svn-tag
@@ -69,7 +69,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
                   default: true
 
               projects:
@@ -152,7 +152,7 @@ Feature: Checking dependencies from a svn repository
 
               remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cutter-svn-tag
diff --git a/features/fetch-svn-repo.feature b/features/fetch-svn-repo.feature
@@ -17,11 +17,11 @@ Feature: Fetching dependencies from a svn repository
 
               remotes:
                 - name: cunit
-                  url-base: svn://svn.code.sf.net/p/cunit/code
+                  url-base: https://svn.code.sf.net/p/cunit/code
                   default: true
 
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
               projects:
                 - name: cunit-svn-rev-only
diff --git a/features/freeze-projects.feature b/features/freeze-projects.feature
@@ -44,7 +44,7 @@ Feature: Freeze dependencies
               projects:
                 - name: cunit-svn
                   vcs: svn
-                  url: svn://svn.code.sf.net/p/cunit/code
+                  url: https://svn.code.sf.net/p/cunit/code
 
             """
         And all projects are updated
@@ -59,7 +59,7 @@ Feature: Freeze dependencies
                 branch: trunk
                 revision: '176'
                 vcs: svn
-                url: svn://svn.code.sf.net/p/cunit/code
+                url: https://svn.code.sf.net/p/cunit/code
 
             """
 
diff --git a/features/list-projects.feature b/features/list-projects.feature
@@ -58,7 +58,7 @@ Feature: List dependencies
 
               projects:
                 - name: cutter-svn-tag
-                  url: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url: https://svn.code.sf.net/p/cutter/svn/cutter
                   tag: 1.1.7
                   vcs: svn
                   src: acmacros
@@ -71,7 +71,7 @@ Feature: List dependencies
             Dfetch (0.13.0)
               cutter-svn-tag:
               - remote            : <none>
-                remote url        : svn://svn.code.sf.net/p/cutter/svn/cutter
+                remote url        : https://svn.code.sf.net/p/cutter/svn/cutter
                 branch            : <none>
                 tag               : 1.1.7
                 last fetch        : 29/12/2024, 20:09:21
diff --git a/features/patch-after-fetch-svn.feature b/features/patch-after-fetch-svn.feature
@@ -12,7 +12,7 @@ Feature: Patch after fetching from svn repo
 
                 remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
                 projects:
                 - name: cutter
@@ -46,7 +46,7 @@ Feature: Patch after fetching from svn repo
 
                 remotes:
                 - name: cutter
-                  url-base: svn://svn.code.sf.net/p/cutter/svn/cutter
+                  url-base: https://svn.code.sf.net/p/cutter/svn/cutter
 
                 projects:
                 - name: cutter
diff --git a/pyproject.toml b/pyproject.toml
@@ -83,7 +83,7 @@ development = [
     "tomli; python_version < '3.11'", # Tomllib is default in 3.11, required for letting codespell read the pyproject.toml
     'pre-commit==4.6.0',
     'ruff==0.15.14',
-    'hypothesis==6.152.9',
+    'hypothesis==6.152.10',
     'import-linter==2.11',
 ]
 docs = [
diff --git a/security/tm_usage.py b/security/tm_usage.py
@@ -370,7 +370,7 @@ def _make_usage_vcs_dataflows(
         "``git fetch`` over ``http://`` or SVN over ``svn://`` (plain, non-TLS).  "
         "dfetch accepts these protocols without enforcement - no TLS check in manifest "
         "schema.  Traffic is unencrypted; MITM can substitute repository content.  "
-        "RECOMMENDATION: restrict manifest URLs to HTTPS / svn+https:// / SSH."
+        "RECOMMENDATION: restrict manifest URLs to ``https://`` or ``svn+ssh://``."
     )
     df03_plain.protocol = "HTTP / SVN"
     df03_plain.controls.isEncrypted = False
@@ -958,6 +958,24 @@ def build_model() -> TM:
             "rejects control characters in all string fields."
         ),
     ),
+    Control(
+        id="C-009",
+        name="Plaintext transport detection",
+        assets=["A-09", "A-22"],
+        threats=["DFT-26"],
+        reference="dfetch/manifest/project.py, dfetch/project/subproject.py",
+        description=(
+            "``plaintext_warning()`` (``dfetch/manifest/project.py``) inspects the "
+            "resolved remote URL immediately before each VCS command is issued "
+            "(inside the ``check_for_update`` and ``update`` spinners in "
+            "``subproject.py``).  If the scheme is ``http://``, ``git://``, or "
+            "``svn://``, a visible warning is emitted naming the redacted URL "
+            "(credentials stripped from the userinfo component) and recommending "
+            "``https://`` or ``svn+ssh://``.  "
+            "Detection only — dfetch still proceeds with the plaintext connection; "
+            "the control raises user awareness but does not enforce scheme selection."
+        ),
+    ),
     Control(
         id="C-034",
         name="Hash algorithm allowlist (SHA-256/384/512 only)",
@@ -1291,15 +1309,15 @@ def build_model() -> TM:
     ),
     ThreatResponse(
         "DFT-26",
-        "accept",
+        "mitigate",
         risk="High",
         stride=["Tampering", "Information Disclosure"],
         note=(
-            "dfetch accepts ``http://``, ``svn://``, and other non-TLS scheme URLs; "
-            "HTTPS enforcement is the manifest author's responsibility.  "
-            "Accepted based on the **No HTTPS enforcement** assumption: HTTPS enforcement "
-            "is the responsibility of the manifest author; dfetch accepts non-TLS scheme "
-            "URLs as written and does not upgrade or reject them."
+            "C-009 emits a visible warning immediately before the VCS command when a "
+            "plaintext scheme (``http://``, ``git://``, ``svn://``) is detected, "
+            "with credentials redacted and ``https://`` / ``svn+ssh://`` recommended.  "
+            "Detection only — dfetch does not reject or upgrade plaintext URLs; "
+            "scheme selection remains the manifest author's responsibility."
         ),
     ),
     ThreatResponse(
diff --git a/tests/test_manifest.py b/tests/test_manifest.py
@@ -18,7 +18,7 @@
     RequestedProjectNotFoundError,
 )
 from dfetch.manifest.parse import find_manifest, get_submanifests
-from dfetch.manifest.project import ProjectEntry, ProjectEntryDict
+from dfetch.manifest.project import ProjectEntry, ProjectEntryDict, plaintext_warning
 from dfetch.manifest.remote import Remote
 
 BASIC_MANIFEST = """
@@ -406,6 +406,36 @@ def test_remove_last_project_updates_manifest_with_empty_list() -> None:
     assert not manifest.projects
 
 
+# ---------------------------------------------------------------------------
+# Plaintext URL transport warnings (DFT-01)
+# ---------------------------------------------------------------------------
+
+
+@pytest.mark.parametrize(
+    "plaintext_url",
+    [
+        "http://git.example.com/org/repo",
+        "git://git.example.com/org/repo",
+        "svn://svn.example.com/repo/trunk",
+    ],
+)
+def test_plaintext_warning_for_plaintext_scheme(plaintext_url: str) -> None:
+    """plaintext_warning returns a non-empty message for plaintext schemes."""
+    assert "plaintext transport" in plaintext_warning(plaintext_url)
+
+
+def test_plaintext_warning_empty_for_https() -> None:
+    """plaintext_warning returns empty string for HTTPS URLs."""
+    assert plaintext_warning("https://git.example.com/org/repo") == ""
+
+
+def test_plaintext_warning_redacts_credentials() -> None:
+    """Credentials embedded in a plaintext URL are not exposed in the warning."""
+    warning = plaintext_warning("http://user:secret@git.example.com/repo")
+    assert "plaintext transport" in warning
+    assert "secret" not in warning
+
+
 # ---------------------------------------------------------------------------
 # Empty manifest (no projects key)
 # ---------------------------------------------------------------------------

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ development = [`
`83`	`83`	`"tomli; python_version < '3.11'", # Tomllib is default in 3.11, required for letting codespell read the pyproject.toml`
`84`	`84`	`'pre-commit==4.6.0',`
`85`	`85`	`'ruff==0.15.14',`
`86`		`- 'hypothesis==6.152.9',`
	`86`	`+ 'hypothesis==6.152.10',`
`87`	`87`	`'import-linter==2.11',`
`88`	`88`	`]`
`89`	`89`	`docs = [`